W3C home > Mailing lists > Public > public-ldp-wg@w3.org > November 2012

Re: LDP with Access Control, or future LDPS(ecure)?

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 14 Nov 2012 15:16:24 +0100
Cc: public-ldp-wg@w3.org
Message-Id: <7752E448-A1CE-4316-A0C6-C19420CBF4D7@bblfish.net>
To: ashok.malhotra@oracle.com

On 14 Nov 2012, at 15:06, Ashok Malhotra <ashok.malhotra@oracle.com> wrote:

> Henry:
> The access control rules have to be processed by the underlying storage engine
> and tend to be rather simple.  For example the SQL statement to grant access has the form
> 
> GRANT privilege ON object TO entity
> 
> The underlying store may not have the capability to process RDF statements like your example.

I would tend to say that that is a different level of access control. The only thing
we can specify at the level of LDP are restful patterns: that is we can name resources
by URI, limit Access control at the level of HTTP verbs, etc.... How that is implemented
in an SQL store is not something that should transpire to this level. 

It is the J2EE layer that deals with how to fetch resources from DBs, triple stores, etc...
There are many standards in that space. At the W3C layer one has to work with HTTP abstractions.

Henry

> 
> All the best, Ashok
> 
> On 11/14/2012 5:41 AM, Henry Story wrote:
>> On 14 Nov 2012, at 14:18, Ashok Malhotra<ashok.malhotra@oracle.com>  wrote:
>> 
>>> Hi Andy:
>>> There are a bunch of cases like this.  For example, take personnel records.
>>> These are typically restricted to HR folks but you can always see your own records.
>>> Need to think some more about where to draw the line between access control
>>> and LDP functionality
>> Why is this problematic? Can you not just use the following rule to do what
>> you want?
>> 
>> @prefix wac:<http://www.w3.org/ns/auth/acl#>  .
>> 
>> [] wac:accessToClass [ wac:regex "https://oracle.com/u/.*" ];
>>    wac:mode wac:Read, wac:Write, wac:Control;
>>    wac:agentClass<https://oracle.com/g/team/admin#it>  .
>> 
>> [] wac:accessToClass [ wac:regex "https://oracle.com/u/123123/.*" ];
>>    wac:mode wac:Read;
>>    wac:agent<https://oracle.com/u/123123#i>  .
>> 
>> the wac:regex relation does not exist. One should probably use powder, but I wanted
>> to implement something really simple to test this out. It just took a couple of
>> days to write and test:
>> 
>>  https://github.com/read-write-web/rww-play/blob/master/app/test/WebACLTestSuite.scala#L147
>> 
>> How to specify regular expressions in WAC would be nice, and would be a topic for
>> discussion for the Access Control Teleconf
>> 
>>  http://lists.w3.org/Archives/Public/public-ldp-wg/2012Nov/0156.html
>> 
>> It would be useful to work out what the problem is so I can add it to ACTION-28
>> 
>>> All the best, Ashok
>>> 
>>> On 11/14/2012 3:04 AM, Andy Seaborne wrote:
>>>> 
>>>> On 12/11/12 20:48, Henry Story wrote:
>>>>> Luckily Access Control is orthogonal to LDP
>>>> I hope that's true but I don't see why it must be so.
>>>> 
>>>> The LDP spec covers operations on resources and containers and does not mention access control.
>>>> 
>>>> Use case: I create bugReportSecurity57 about a security issue.  I want it restricted because the information contained allows an attacker to exploit the security hole.  Bug reports are normally publicly readable.
>>>> 
>>>> What is the operation flow to create a secure bug report if normally bug reports are publicly readable?  (if they are not by default publicly readable, what operation on them makes them so?)
>>>> 
>>>> Or concretely: what triples are PUT where?
>>>> 
>>>>    Andy
>>>> 
>>>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
> 

Social Web Architect
http://bblfish.net/



Received on Wednesday, 14 November 2012 14:17:02 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:11:42 UTC